kallithea Changeset - 959a9fa7d1a1

Changeset - 959a9fa7d1a1

Parent rev.

Child rev.

[Not reviewed]

default

0 9 0

Mads Kiilerich - 11 years ago 2015-03-27 16:25:27
madski@unity3d.com

controllers: remove old auth_token checks - it was only partial CSRF protection

9 files changed with 38 insertions and 73 deletions:

kallithea/controllers/admin/repos.py

kallithea/controllers/journal.py

kallithea/lib/helpers.py

kallithea/public/js/base.js

kallithea/templates/admin/repos/repo_edit_advanced.html

kallithea/templates/base/base.html

kallithea/templates/data_table/_dt_elements.html

kallithea/templates/summary/summary.html

kallithea/tests/functional/test_journal.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/repos.py

➞

Show inline comments

@@ @@ -38,13 +38,12 @@ from sqlalchemy.sql.expression import fu @@
 from kallithea.lib import helpers as h
 from kallithea.lib.auth import LoginRequired, HasPermissionAllDecorator, \
     HasRepoPermissionAllDecorator, NotAnonymous,HasPermissionAny, \
     HasRepoGroupPermissionAny, HasRepoPermissionAnyDecorator
 from kallithea.lib.base import BaseRepoController, render
 from kallithea.lib.utils import action_logger, repo_name_slug, jsonify
 from kallithea.lib.helpers import get_token
 from kallithea.lib.vcs import RepositoryError
 from kallithea.model.meta import Session
 from kallithea.model.db import User, Repository, UserFollowing, RepoGroup,\
     Setting, RepositoryField
 from kallithea.model.forms import RepoForm, RepoFieldForm, RepoPermsForm
 from kallithea.model.scm import ScmModel, RepoGroupList, RepoList
@@ @@ -513,29 +512,23 @@ class ReposController(BaseRepoController @@
         Sets this repository to be visible in public journal,
         in other words asking default user to follow this repo
         :param repo_name:
         """
         cur_token = request.POST.get('auth_token')
         token = get_token()
         if cur_token == token:
             try:
                 repo_id = Repository.get_by_repo_name(repo_name).repo_id
                 user_id = User.get_default_user().user_id
                 self.scm_model.toggle_following_repo(repo_id, user_id)
                 h.flash(_('Updated repository visibility in public journal'),
                         category='success')
                 Session().commit()
             except Exception:
                 h.flash(_('An error occurred during setting this'
                           ' repository in public journal'),
                         category='error')
         else:
             h.flash(_('Token mismatch'), category='error')
         try:
             repo_id = Repository.get_by_repo_name(repo_name).repo_id
             user_id = User.get_default_user().user_id
             self.scm_model.toggle_following_repo(repo_id, user_id)
             h.flash(_('Updated repository visibility in public journal'),
                     category='success')
             Session().commit()
         except Exception:
             h.flash(_('An error occurred during setting this'
                       ' repository in public journal'),
                     category='error')
         return redirect(url('edit_repo_advanced', repo_name=repo_name))
     @HasRepoPermissionAllDecorator('repository.admin')
     def edit_advanced_fork(self, repo_name):
         """

kallithea/controllers/journal.py

➞

Show inline comments

@@ @@ -301,39 +301,34 @@ class JournalController(BaseController): @@
             .all()
         return self._rss_feed(following, public=False)
     @LoginRequired()
     @NotAnonymous()
     def toggle_following(self):
         cur_token = request.POST.get('auth_token')
         token = h.get_token()
         if cur_token == token:
         user_id = request.POST.get('follows_user_id')
         if user_id:
             try:
                 self.scm_model.toggle_following_user(user_id,
                                             self.authuser.user_id)
                 Session.commit()
                 return 'ok'
             except Exception:
                 log.error(traceback.format_exc())
                 raise HTTPBadRequest()
             user_id = request.POST.get('follows_user_id')
             if user_id:
                 try:
                     self.scm_model.toggle_following_user(user_id,
                                                 self.authuser.user_id)
                     Session.commit()
                     return 'ok'
                 except Exception:
                     log.error(traceback.format_exc())
                     raise HTTPBadRequest()
         repo_id = request.POST.get('follows_repo_id')
         if repo_id:
             try:
                 self.scm_model.toggle_following_repo(repo_id,
                                             self.authuser.user_id)
                 Session.commit()
                 return 'ok'
             except Exception:
                 log.error(traceback.format_exc())
                 raise HTTPBadRequest()
             repo_id = request.POST.get('follows_repo_id')
             if repo_id:
                 try:
                     self.scm_model.toggle_following_repo(repo_id,
                                                 self.authuser.user_id)
                     Session.commit()
                     return 'ok'
                 except Exception:
                     log.error(traceback.format_exc())
                     raise HTTPBadRequest()
         log.debug('token mismatch %s vs %s' % (cur_token, token))
         raise HTTPBadRequest()
     @LoginRequired()
     def public_journal(self):
         # Return a rendered template
         p = safe_int(request.GET.get('page', 1), 1)

kallithea/lib/helpers.py

➞

Show inline comments

@@ @@ -131,29 +131,12 @@ def FID(raw_id, path): @@
     :param path:
     """
     return 'C-%s-%s' % (short_id(raw_id), md5(safe_str(path)).hexdigest()[:12])
 def get_token():
     """Return the current authentication token, creating one if one doesn't
     already exist.
     """
     token_key = "_authentication_token"
     from pylons import session
     if not token_key in session:
         try:
             token = hashlib.sha1(str(random.getrandbits(128))).hexdigest()
         except AttributeError:  # Python < 2.4
             token = hashlib.sha1(str(random.randrange(2 ** 128))).hexdigest()
         session[token_key] = token
         if hasattr(session, 'save'):
             session.save()
     return session[token_key]
 class _GetError(object):
     """Get error from form_errors, and represent it as span wrapped error
     message
     :param field_name: field to fetch errors for
     :param form_errors: form errors dict

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -455,26 +455,22 @@ var _onSuccessFollow = function(target){ @@
             var cnt = Number($f_cnt.html())-1;
             $f_cnt.html(cnt);
+        }
+    }
+}
-var toggleFollowingRepo = function(target, follows_repo_id, token, user_id){
 var toggleFollowingRepo = function(target, follows_repo_id){
     var args = 'follows_repo_id=' + follows_repo_id;
     args += '&amp;auth_token=' + token;
     if(user_id != undefined){
         args +="&amp;user_id=" + user_id;
+    }
     $.post(TOGGLE_FOLLOW_URL, args, function(data){
             _onSuccessFollow(target);
         });
     return false;
 };
 var showRepoSize = function(target, repo_name, token){
     var args = 'auth_token=' + token;
 var showRepoSize = function(target, repo_name){
     var args = '';
     if(!$("#" + target).hasClass('loaded')){
         $("#" + target).html(_TM['Loading ...']);
         var url = pyroutes.url('repo_size', {"repo_name":repo_name});
         $.post(url, args, function(data) {
             $("#" + target).html(data);

kallithea/templates/admin/repos/repo_edit_advanced.html

➞

Show inline comments

@@ @@ -19,13 +19,12 @@ ${h.end_form()} @@
     })
 </script>
 <h3>${_('Public Journal Visibility')}</h3>
 ${h.form(url('edit_repo_advanced_journal', repo_name=c.repo_info.repo_name), method='put')}
 <div class="form">
   ${h.hidden('auth_token',str(h.get_token()))}
   <div class="field">
   %if c.in_public_journal:
     <button class="btn btn-small" type="submit">
         <i class="icon-minus"></i>
         ${_('Remove from public journal')}
     </button>

kallithea/templates/base/base.html

➞

Show inline comments

@@ @@ -173,13 +173,13 @@ @@
                 %endif
               %endif
               ## TODO: this check feels wrong, it would be better to have a check for permissions
               ## also it feels like a job for the controller
               %if c.authuser.username != 'default':
                   <li>
-                   <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id},'${str(h.get_token())}');">
                    <a class="${follow_class()}" onclick="javascript:toggleFollowingRepo(this,${c.db_repo.repo_id});">
                     <span class="show-follow"><i class="icon-heart-empty"></i> ${_('Follow')}</span>
                     <span class="show-following"><i class="icon-heart"></i> ${_('Unfollow')}</span>
                   </a>
                   </li>
                   <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i> ${_('Fork')}</a></li>
                   <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i> ${_('Create Pull Request')}</a></li>

kallithea/templates/data_table/_dt_elements.html

➞

Show inline comments

@@ @@ -209,9 +209,9 @@ @@
     <i class="icon-users" title="${_('User group')}"></i> ${user_group_name}</a>
   </div>
 </%def>
 <%def name="toggle_follow(repo_id)">
   <span id="follow_toggle_${repo_id}" class="following" title="${_('Stop following this repository')}"
-        onclick="javascript:toggleFollowingRepo(this, ${repo_id},'${str(h.get_token())}')">
         onclick="javascript:toggleFollowingRepo(this, ${repo_id})">
   </span>
 </%def>

kallithea/templates/summary/summary.html

➞

Show inline comments

@@ @@ -154,13 +154,13 @@ summary = lambda n:{False:'summary-short @@
                 <span class="stats-bullet">${c.repository_forks}</span>
               </a>
             </li>
             %if c.authuser.username != 'default':
             <li class="repo_size">
-              <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}','${str(h.get_token())}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
               <a href="#" onclick="javascript:showRepoSize('repo_size_2','${c.db_repo.repo_name}')"><i class="icon-ruler"></i> ${_('Repository Size')}</a>
               <span  class="stats-bullet" id="repo_size_2"></span>
             </li>
             %endif
             <li>
             %if c.authuser.username != 'default':

kallithea/tests/functional/test_journal.py

➞

Show inline comments

@@ @@ -20,14 +20,13 @@ class TestJournalController(TestControll @@
 #            .filter(UserFollowing.follows_repository == repo).all()
+#
 #        assert len(followings) == 1, 'Not following any repository'
+#
 #        response = self.app.post(url(controller='journal',
 #                                     action='toggle_following'),
 #                                     {'auth_token':get_token(session),
 #                                      'follows_repo_id':repo.repo_id})
 #                                     {'follows_repo_id':repo.repo_id})
     def test_start_following_repository(self):
         self.log_user()
         response = self.app.get(url(controller='journal', action='index'),)
     def test_public_journal_atom(self):

0 comments (0 inline, 0 general)